On Tue, Jul 12, 2016 at 4:13 PM, Gordon Messmer <gordon.mess...@gmail.com> wrote:
> On 07/12/2016 10:44 AM, Go Canes wrote:
>
>> No, they don't. Private keys belong on your closest system, on an
>> encrypted volume. Often, you will only need one.
>>
>> If the OP uses ssh to go from system1:user1 to system2:user2, and then
>> wants to use ssh to go from system2:user2 to system3:user3, are you saying
>> that only system1:user requires a public key, and that system2:user2 can
>> ssh out without having *any* public key?
>
> No, I said "private key".

My bad - I *meant* private key, but obviously my fingers typed out "public" instead.

> If you are user1@system1 and you use ssh to log in to user2@system2, and
> if you also have an ssh agent on system1 and instruct ssh to forward a
> connection to the user2@system2 session, then you don't need a private
> key in the user2@system2 home directory to connect to user3@system3. You
> only need to have the public key which corresponds to the private key
> available to user1@system1 installed for user3@system3. system3 will
> request ssh authentication from user2@system2, and that request will be
> forwarded back to the agent at user1@system1, which will answer it.
>
> Using agent forwarding, you only need private keys on your workstation,
> which you presumably have encrypted and otherwise made very secure against
> an attacker obtaining your key files (which should, themselves, be
> encrypted key files within the encrypted filesystem).

I was not familiar with agent forwarding in this manner. Thank you for the explanation. Hopefully it will also be useful to the OP.
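The setup described in the thread, as an added example that is not part of the original messages: a constructed `~/.ssh/config` for user1@system1 that forwards the agent only to system2, plus a hypothetical helper, `forwarding_hosts`, that lists every scope in a client config where forwarding is switched on. The key path and the helper name are assumptions; host and user names follow the thread.

```shell
#!/bin/sh
# Constructed sample of ~/.ssh/config on system1 (user1's workstation).
# Workflow it supports, following the thread:
#   ssh-add ~/.ssh/id_ed25519     # load the private key into the local agent
#   ssh system2                   # log in as user2, agent forwarded
#   ssh user3@system3             # run on system2; the auth request is
#                                 # answered by the agent back on system1
# user3@system3 needs only the matching public key in authorized_keys.
sample_config() {
cat <<'EOF'
Host system2
    User user2
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes

Host system3
    User user3

Host *
    ForwardAgent no
EOF
}

# forwarding_hosts (hypothetical helper): read an ssh client config on stdin
# and print the Host/Match scope of every "ForwardAgent yes" line, so you can
# confirm the agent is offered only to the hop that needs it.
# Only the "keyword value" form is parsed, not "keyword=value".
forwarding_hosts() {
    awk '
        BEGIN { scope = "*" }   # options before any Host line apply to all hosts
        { key = tolower($1) }
        key == "host" || key == "match" {
            scope = (key == "match") ? "match" : ""
            for (i = 2; i <= NF; i++) scope = scope (scope == "" ? "" : " ") $i
            next
        }
        key == "forwardagent" && tolower($2) == "yes" { print scope }
    '
}

sample_config | forwarding_hosts
```

A result of `*` means the agent is forwarded to every host you connect to, which is broader than the single hop the thread describes.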